Do you save passwords on your browser? You might be getting tracked
A new study reveals that web trackers are accessing your usernames (email IDs) via browsers’ autofill password managers.
Updated: Jan 02, 2018 15:36 IST
Most of us save our log-in credentials in the browser for sheer convenience, but this might not be a safe practice. In a new study, researchers have found that certain third-party scripts can be misused to steal identifiable data from browsers’ built-in password managers.
“We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers. These scripts were present on 1110 of the Alexa top 1 million sites,” said the researchers in a blog post.
In simpler words, researchers have discovered two third-party scripts, called AdThink and OnAudience, which can track users across whichever websites they visit. These scripts can potentially be used to serve targeted advertising. For instance, researchers found AdThink sending data to a consumer data company called Acxiom.
Fortunately, these third-party scripts have only been accessing usernames, but the loophole could potentially be used to access more identifiable data, including passwords.
“Why collect hashes of email addresses? Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user’s email address will almost never change — clearing cookies, using private browsing mode, or switching devices won’t prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears,” researchers explained.
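A check a publisher or privacy auditor could run over captured browser traffic (a HAR export or proxy log), as an added example that is not code from the article or from the researchers: it computes the digest forms a tracker might send for a saved address and scans request URLs and bodies for any of them. The hash algorithms, encodings, hostnames and sample requests are constructed assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import unquote, urlsplit

# The study only says the addresses are "hashed"; the algorithms and encodings
# tried here are an assumption chosen to cover common tracker choices.
HASH_ALGOS = ("md5", "sha1", "sha256")
# Any run of characters long enough to be a hex or base64 digest.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/_-]{22,}={0,2}")


def email_hash_variants(email):
    """Map each digest form a tracker might send for `email` to a label."""
    normalized = email.strip().lower()  # trackers normalize before hashing
    hex_forms, b64_forms = {}, {}
    for algo in HASH_ALGOS:
        digest = hashlib.new(algo, normalized.encode("utf-8")).digest()
        hex_forms[digest.hex()] = f"{algo}-hex"
        b64_forms[base64.b64encode(digest).decode()] = f"{algo}-b64"
        b64_forms[base64.urlsafe_b64encode(digest).decode().rstrip("=")] = f"{algo}-b64url"
    return hex_forms, b64_forms


def find_email_hash_exfil(requests, email):
    """Return sorted (host, label) pairs for (url, body) requests carrying a hash of `email`."""
    hex_forms, b64_forms = email_hash_variants(email)
    hits = set()
    for url, body in requests:
        host = urlsplit(url).hostname or "?"
        text = unquote(url) + "\n" + unquote(body or "")  # decode %2B, %3D, ...
        for candidate in CANDIDATE_RE.findall(text):
            label = (hex_forms.get(candidate.lower())      # hex is case-insensitive
                     or b64_forms.get(candidate)            # standard base64, padded
                     or b64_forms.get(candidate.rstrip("=")))  # url-safe, unpadded
            if label:
                hits.add((host, label))
    return sorted(hits)


# Constructed sample traffic: two third-party beacons carrying a hashed address and
# one first-party request sending the address in clear (not a hash, so not flagged).
_ALICE = b"alice@example.test"
SAMPLE_REQUESTS = [
    ("https://cdn.tracker-a.invalid/collect?eid=%s&v=2" % hashlib.md5(_ALICE).hexdigest(), None),
    ("https://pixel.tracker-b.invalid/sync",
     "u=%s&s=1" % base64.urlsafe_b64encode(hashlib.sha1(_ALICE).digest()).decode().rstrip("=")),
    ("https://www.publisher.invalid/api/login", '{"user":"alice@example.test","remember":true}'),
]
```

Running `find_email_hash_exfil(SAMPLE_REQUESTS, " Alice@Example.test ")` names the two tracker hosts and which digest form each received; a clear-text address is out of scope for this scanner and needs a separate plain-string search.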
Researchers have also suggested measures that publishers can take to blunt such tracking scripts.
“Publishers can isolate login forms by putting them on a separate subdomain, which prevents autofill from working on non-login pages. This does have drawbacks including an increase in engineering complexity. Alternately they could isolate third parties using frameworks like Safeframe. Safeframe makes it easier for the publisher scripts and iframed scripts to communicate, thus blunting the effect of sandboxing. Any such technique requires additional engineering by the publisher compared to simply dropping a third-party script into the web page,” they added.
You can test the attack yourself by visiting a demo page set up by the researchers. On this website, you can enter a fake email ID and password.
“An invisible form has been injected into this page by a script loaded from a third-party domain (also controlled by us). This causes the browser’s built-in login manager to automatically fill the injected form with the credentials you saved on the previous page. These credentials belong to the first-party domain (senglehardt.com). Once the form is filled, our third-party script retrieves the information and displays it above,” the demo page reads.